Enabling pf for transparent proxy on Mac OS X Mountain Lion

Question

I'm doing some usability testing of a web application and am attempting to debug and record some SSL sessions using mitmproxy as a transparent proxy and for some reason pf under Mac OS X Mountain Lion isn't setting up the transparent redirects.

First, I enable forwarding:

sudo sysctl -w net.inet.ip.forwarding=1

Next, I create a simple pf.conf file with a single line on it:

rdr on {en1, en0} inet proto tcp to any port {80, 443} -> 192.168.1.40 port 3128

Where the 192.168.1.40 is the remote host that is currently running mitmproxy and en1 and en2 are the main outgoing interfaces on the Mac.

Finally, I start up pf with the following commands:

sudo pfctl -vf pf.conf
sudo pfctl -e

However, nothing happens. When I list the currently running rules for pf with pfctl -sr it doesn't show anything.

I've confirmed that pf can work on the machine by giving it a dummy rule which blocks all outbound access to port 80 and that works.

Any hints about what else I need to do to enable pf to redirect web traffic to a transparent proxy on Mac OS X Mountain Lion?

Answer 1

Did you try net.inet.ip.scopedroute=0? From http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy/:

Now currently if you finish that above setup you will notice that nothing actually works. The cause for this is a Bug in the OS X kernel that requires flipping the net.inet.ip.scopedroute flag to 0. I am not entirely sure what it does, but the internet reports that it breaks network sharing through the user preferences. In any case it fixes ipfw based forwarding so you can flip it with sysctl:

$ sudo sysctl -w net.inet.ip.scopedroute=0

Unfortunately in OS X Lion this flag can actually not be flipped from userspace so you need to set it as boot parameter and then restart your computer. You can do this by editing the /Library/Preferences/SystemConfiguration/com.apple.Boot.plist file (continued...)